Dear John,

There is no "official" description of a NAT based trihomed DMZ config. However, it can be done with a little elbow grease and ingenuity. I go over those scenarios in the ISA Server and Beyond book.

Also, you never read my stuff anymore :( Check out:

http://www.isaserver.org/tutorials/Configuring_VPN_Access_in_a_Back_to_Back_ISA_Server_Environment.html

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
http://tinyurl.com/1jq1
http://tinyurl.com/1llp

-----Original Message-----
From: John Tolmachoff [mailto:isalist@xxxxxxxxxxxx]
Sent: Wednesday, October 30, 2002 5:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Stateful inspection

http://www.ISAserver.org

Are you saying that with a NAT based DMZ, ISA will then do stateful packet? Will it also then do stateful packet to a NAT based DMZ on a tri-homed?

But if what you are suggesting,

Internet | ISA1 | DMZ using NAT | ISA2 Internal Network with NAT

Wouldn't that break a VPN between a node on the internet and ISA2?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
La Habra, CA 90631
www.reliancesoft.com

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, October 30, 2002 2:52 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Stateful inspection

Hi John,

Just try it out. You'll see that you have to create explicit packet filters to allow inbound access and outbound responses. The packet filtering mechanism won't track the state of the connection. That's why we always try to steer you away from using ISA Server as a packet filtering router. You get the same packet filtering capabilities as you get with the Win2k RRAS filters.

The POWER is in the private address DMZ. You can create a private address DMZ in a back to back setup, or you can leverage several methods to create a LAT-based DMZ segment.

HTH,
Tom

-----Original Message-----
From: John Tolmachoff [mailto:isalist@xxxxxxxxxxxx]
Sent: Wednesday, October 30, 2002 4:05 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Stateful inspection

No. That's why packet filters and trihomed DMZ (including public address DMZs), suck. :-)

Tom, are you serious? ISA does not do stateful packet in the DMZ? :-( Do the other vendors?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
701 S. Euclid
La Habra, CA 91631
562-694-4800, ext. 104
jtolmachoff@xxxxxxxxxxxxxxxx
www.reliancesoft.com

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
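
The point made in the thread about explicit filters for inbound access and outbound responses, versus tracking connection state, shown as an added example that is not part of the original messages and is a simplified model rather than ISA Server's own logic. The addresses, the port 80 web server in the DMZ, and the names `stateless_allows` and `StatefulFilter` are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
DMZ_WEB = "192.0.2.10"
CLIENT = "198.51.100.7"

Packet = namedtuple("Packet", "src sport dst dport")

def stateless_allows(pkt):
    """Static filters: one rule for inbound requests, one for outbound responses."""
    inbound = pkt.dst == DMZ_WEB and pkt.dport == 80
    # The response rule can only match on addresses and ports, so any packet
    # the server sends from port 80 passes, solicited or not.
    outbound = pkt.src == DMZ_WEB and pkt.sport == 80
    return inbound or outbound

class StatefulFilter:
    """Only the inbound rule is configured; replies are matched to known flows."""
    def __init__(self):
        self.flows = set()

    def allows(self, pkt):
        if pkt.dst == DMZ_WEB and pkt.dport == 80:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Reply: allowed only if it is the mirror image of a tracked flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def compare():
    """Run the same three packets through both filter models."""
    request = Packet(CLIENT, 40000, DMZ_WEB, 80)
    reply = Packet(DMZ_WEB, 80, CLIENT, 40000)
    # Never requested by anyone: no inbound flow exists for this destination.
    unsolicited = Packet(DMZ_WEB, 80, "203.0.113.5", 4444)
    packets = (request, reply, unsolicited)
    sf = StatefulFilter()
    return {
        "stateless": [stateless_allows(p) for p in packets],
        "stateful": [sf.allows(p) for p in packets],
    }

if __name__ == "__main__":
    print(compare())
```

The static response filter passes the third packet because it cannot tell a reply from new outbound traffic; the stateful model drops it because no matching inbound flow was recorded.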